Hardware Security Modules: Attacks and Secure Conﬁguration2014.hackitoergosum.org/slides/day2_Hardware_Security_Modules:... · - Encrypted PIN Pads (EPPs) and Hardware Security

Graham Steel April 2014

Hardware Security Modules:Attacks and Secure ConfigurationGraham Steel

Graham Steel - HSM Attacks and Secure Configuration April 2014 - 2/ 56

Secure Hardware History

Military:WW2 Enigma machines- captured machines used to help break codesNSA devices with explosive tamper resistance-http://www.nsa.gov/about/cryptologic_heritage/museum/

Commercial:IBM: Cryptoprocessors for mainframes- tamper-resistant switches on caseATMs (cash machines)- Encrypted PIN Pads (EPPs) and Hardware Security Modules(HSMs)


http://www.nsa.gov/about/cryptologic_heritage/museum/

Secure Hardware History - 2

Cryptographic Smartcards- chip contains cryptoprocessor and keys in memory- used in SIM cards, credit cards, ID cards, transport. . .Authentication tokens- generate One-Time Passwords, sometimes USB connectionTrusted Platform Module (TPM)- now standard (but unused) in most PC laptopsThe future..- Secure Elements in mobile phones, cars,. . .


Example - Cash Machine Network

I Introduced in the UK in the late 1960sI First modern machines (with DES) in the 70s and 80sI More than 2 million ATMs worldwideI Network is now global and ubiquitous (at least in cities)


Simplified Network Schematic

ATM

HSBC

Maestro UK

SocGen


HSMs

I Manufacturers include IBM, nCipher, Thales, Utimaco, HPI Cost around $20 000


A Word About Your PIN

IBM 3624 method:1. Write account number (PAN) as 0000AAAAAAAAAAAA

2. 3DES encrypt under a PDK (PIN Derivation Key),decimalise first digits

3. PIN = IPIN + Offset (modulo 10 each digit)

NB: Offset NOT secure!


API attack example: VSM (Bond, 2001)


Example: Print Customer PIN

PAN {PAN}PDK1

{PDK1}KM

KM

Secure Printer

Host → HSM : PAN, { PDK1 } Km

HSM → Printer : { PAN } PDK1


Example: Send PDK to Terminal

{PDK1}TMK1

{PDK1}KM

KM{TMK1}

KM

Host → HSM : { PDK1 } Km, { TMK1 } Km

HSM → Host : { PDK1 } TMK1


Terminal Comms Key

{MSG}TC

KM TMK1


Managing Key Types


Example: Enter TC key

Host → HSM : TCHSM → Host : { TC } Km2


Example: Send TC to Terminal

Host → HSM : { TC } Km2, { TMK1 } Km

HSM → Host : { TC } TMK1


Attack - Step 1

Spy → HSM : PANHSM → Spy : { PAN } Km2


Attack - Step 2

Spy → HSM : { PAN } Km2, { PDK1 } KmHSM → Host : { PAN } PDK1


IBM 4758 CCA API


CCA Types - 1

The Common Cryptographic Architecture (CCA) API uses thesame ‘master key’ architecture as the VSMHowever, the (patented) type system is much richerBefore encrypting a working key, the master key is XORed againsta ‘control vector’ indicating the type of the keyThe control vectors are public values (they can be found in theprogrammers’ manual), but the master key is secretControl vectors can be composite, i.e. they may consist of anumber of values XORed together


CCA Types - 2


CCA API - Examples

Encrypt Data:Host → HSM : { d1 } km⊕data, messageHSM → Host : { message } d1

Verify PIN:Host → HSM : { PINBlock } p1, PAN, { pdk1 } km⊕pin,

OFFSET, { p1 } km⊕ipinencHSM → Host : yes/no


Bootstrapping

A common problem in the use of secure hardware

How to get the initial secrets onto the device (or encrypted by thedevice’s master key) in a secure way?

A common solution is ‘separation of duty’: several members ofstaff are given individual parts of a secret.

Each individual part is worthless, so only collusion between severalstaff members can expose the secret.


Importing Key Parts

Separation of duty between e.g. 2 security officersKey k = k1 ⊕ k2

Host → HSM : k1, TYPEHSM → Host : { k1 } km⊕kp⊕TYPE

Host → HSM : { k1 } km⊕kp⊕TYPE, k2, TYPEHSM → Host : { k1 ⊕ k2 } km⊕TYPE

This is a tedious and expensive process, so usually used to importa ‘key encrypting key’ ({ KEK } km⊕imp)


Importing Encrypted Keys

Exported from another 4758 encrypted under KEK⊕ TYPE

Key Import:Host → HSM : { KEY1 } KEK⊕TYPE, TYPE, { KEK } km⊕impHSM → Host : { KEY1 } km⊕TYPE


Attack (Bond, 2001) (part 1)

PIN derivation key: { pdk } kek⊕pinHave key part { kek⊕ k2 } km⊕imp⊕kp for known k2

Host → HSM : { kek⊕ k2 } km⊕kp⊕imp, k2⊕ pin⊕ data, impHSM → Host : {kek⊕ pin⊕ data} km⊕imp


Attack (Bond, 2001) (part 2)

Key ImportHost → HSM : { pdk } kek⊕pin, data,

{ kek⊕ pin⊕ data } km⊕impHSM → Host : { pdk } km⊕data

Encrypt dataHost → HSM : { pdk } km⊕data, panHSM → Host : { pan } pdk (= PIN!)


IBM Recommendations

Published in response to Bond’s attacks

1. Use asymmetric key crypto for key import – 2 officer protocolto generate key pair at destination, transfer public key tosource – PKA Symmetric Key Import command

2. More access control – security officers access fewer commands3. Procedural controls to check entered key parts

2 and 3 verified in a few seconds, but 1 has a simple attack..


Attack on 1 (Cortier, Keighren & S. ’07)

{kek.IMP}PK → {kek}KM⊕IMP PKA Symmetric Key Import

{k.EXP}PK → {k}KM⊕EXP PKA Symmetric Key Import

{pdk}kek⊕PIN , PIN , {kek}KM⊕IMP → {pdk}KM⊕PIN Key Import

{pdk}KM⊕PIN , PIN , {k}KM⊕EXP → {pdk}k⊕PIN Key Export


Summary of First half

I Secure hardware is more and more prevalentI The API of the hardware is a security critical part of designI Have seen attacks on VSM, CCAI In the next half we’ll look at specific attacks on PIN

processing


Further reading

R. Anderson, Security Engineering, Wiley (2nd Ed.)

M. Bond and R. Anderson, API Level Attacks on EmbeddedSystems, IEEE Computer Magazine, 2001

D. Longley and S. Rigby, An Automatic Search for Security Flawsin Key Management Schemes, Computers and Security, 1992,

V. Cortier, G. Keighren and G. Steel, Automatic Analysis of theSecurity of XOR-based Key Management Schemes, TACAS ’07

The Analysis of Security APIs Workshop,http://www.lsv.ens-cachan.fr/~steel/asa/


http://www.lsv.ens-cachan.fr/~steel/asa/

Photo: redspotted/Flickr


Introduction to PIN Processing

Processing of PINs in the international cash machine network isone of the oldest and most widespread uses of cryptographichardware

International standards (ISO 9564, ANSI X9.8) and de-factostandards (e.g. Visa’s requirements documents) regulate thenetwork

According to ANSI X9.8 secure hardware must be configured sothat “The system shall not be capable of being used or misused todetermine a PIN by exhaustive trial and error”.



Verizon Breach Report 2008

Released April 2009“While statistically not a large percentage of our overall caseloadin 2008, attacks against PIN information represent individualdata-theft cases having the largest aggregate exposure in terms ofunique records,”“In other words, PIN-based attacks and many of the very largecompromises from the past year go hand in hand.”“We’re seeing entirely new attacks that a year ago were thought tobe only academically possible,”“What we see now is people going right to the source [..] andstealing the encrypted PIN blocks and using complex ways toun-encrypt the PIN blocks.”(Quotes from Wired Magazine interview with report author, BryanSartin)


Known Major Breaches

2008 Feb Citibank $3.6M

2008 Nov RBS worldpay $9.4M

2011 May FIS $13M

2012 December RAKBANK $11M

2013 February Bank of Muscat $45M

Symatec report: ”tens of millions” lost to ATM heists in 2012 justin Europe:http://www.bloomberg.com/news/2013-05-07/

banks-say-fed-should-lead-in-cybersecurity

-for-industry.html


Simplified Network Schematic

ATM

HSBC

Maestro UK

SocGen


PIN Processing API

We can see that the PIN processing API of the HSM will have to(at least):

I Translate PINsI Verify PINsI Generate PINs

We’ll look at these APIs (and attacks on them).There are also functions to

I Change PINsI Print PINs

which we won’t have time for today


Deriving a PIN: IBM 3624 Method

1. Write account number (PAN) as 0000AAAAAAAAAAAA

2. 3DES encrypt under a PDK (PIN Derivation Key)

3. Take 4 leftmost hexadecimal digits of result

4. Decimalise using a mapping table (’dectab’)

0123456789ABCDEF

0123456789012345

5. PIN = IPIN + Offset (modulo 10 each digit)


PIN Verification

Verify PIN:

{PIN}K,PAN,Dectab →Offset

yes/no ←

K, PDK


The Mastermind Game

I Invented by the Israeli postmaster and telecommunicationsexpert Mordecai Meirowitz in 1970;

I 4 pegs from 6 possible colors, duplicates are allowed.I The codemaker chooses a sequence of 4 pegs, the

codebreaker has to guess itI Goal: Minimize the number of guesses


Decimalisaton Table Attack (Clulow ’02, Bond & Zeilinski’03)

Suppose in a hacked switch, an attacker has a set{PIN}K,PAN,Dectab,Offset that verifies PIN is correct

Original Dectab0123456789ABCDEF

0123456789012345

Dectab’0123456789ABCDEF

1123456789112345

Repeat verification command with Dectab’Successful verification indicates no 0s in PIN


More dectab attack

To find the 0s, try changing the offset

Attacker set offset Result from HSM Knowledge of PIN0001 Incorrect PIN ????0010 Incorrect PIN ????0100 Incorrect PIN ????1000 Incorrect PIN ????0011 Incorrect PIN ????0101 Correct PIN ?0?0


What’s the Best Strategy for the Dectab Attack?

Allows us to assess the seriousness of the attack

I Bond’s original scheme (2003) : 16.5 guesses on average– Go through all the different dectabs, get a list of digits– For each digit, use the offset to find out where it is

I Steel (2006) : 16.145 guesses– Find a digit, use the offset to find out where it is, repeat

I Focardi + Luccio (2010) : 13.463 guesses– Start by trying two digits at a time

(not known if this is optimal, but log2 10000=13.362 to 3dp)


PIN Block Formats

Padding formats to encode a PIN for encryptionMust be 64 bits long for 3DESMust allow PIN length to be determined (e.g. in Italy, 5 digits)

VISA format 3

PPPPFFFFFFFFFFFF

Same PIN block for different users with same PIN


ISO 9564 Formats

Diversify PIN blocks using PAN

ISO 9564 format 0

04PPPPFFFFFFFFFF

0000AAAAAAAAAAAA

Two lines are XORed together before encryption


ISO 9564 Format 1

Diversify blocks using randomnessISO 9564 format 1

14PPPPRRRRRRRRRR

Requires source of randomness


The Translate API

Translate PIN:

{ PINBlock } p1, →Format1, Format2, [PAN]

{ PINBlock } p2 ←

p1, p2

If the decrypted block is not in the correct format, an error isreturned


ISO-0 Reformatting attack

(Clulow, 2003)

04PPPPFFFFFFFFFF

0000AAAAAAAAAAAA

Suppose attacker calls ‘Translate’ function with modified PAN:first A digit A’=A ⊕ 8Error check (0 ≤ P ≤ 9) leaks information


Example

Attacking digit 3 of the PIN by changing digit 1 of the PAN

Change to digit 1 Result from HSM Knowledge of PIN0 ok 0 ≤ P3 ≤ 9⊕8 Format error 0 ≤ P3 ≤ 7⊕12 ok 4 ≤ P3 ≤ 5

Limitations:Always get two possible values for the digitOnly works for digits 3 and 4


Extended Reformat Attack

Masquerade ISO-0 as VISA format 3

04PPPPFFFFFFFFFF

0000AAAAAAAAAAAA

0604PPPPFFFFFFFF

Now two possible errors: non-decimal PIN digit,or padding digit 6= FCan now uniquely determine digits


Example

Change to digit 1 Result from HSM Knowledge of PIN0 ok 0 ≤ P3 ≤ 9⊕8 Format error 2 ≤ P3 ≤ 7⊕12 ok 4 ≤ P3 ≤ 5

Now masquerade the block as VISA⊕10 ok P3 = 5

Note reformatted block has digits shifted two places to the right- so attack can be repeated on PIN digits 1 and 2


Generate Encrypted PIN

Generate Encrypted PIN:

PAN, dectab, offset →Format

{ PINBlock } p1 ←

p1, PDK


Statistical Attack

(see Bond & Clulow 2004)

First calculate a table of encrypted PINs for each offset 0000-9999

Now for a fixed offset, generate EPB for random PDKs

Note that with a fixed standard dectab 0123456789012345, digits0-5 are twice as likely as 6-9.

After generating enough EPBs, we can ‘line up’ distribution anddecrypt all the PINs


(Unpublished) Results on Statistical Attack

(Köpf & S.)

Bond and Clulow quote “2000-10000 calls” for the learning part oftheir attack.

With Boris Köpf we implemented Maximum Likelihood Estimationfor the attack.

On average 216 calls suffice.


“I want to play..”

You can download an open source simulator of one of the mostwidely-used payment HSM, the Thales 8000More than 70% of transactions go through a 8000 series HSM.

https://thalessim.codeplex.com/


https://thalessim.codeplex.com/

Further Reading

Wired Magazine, PIN Crackers Nab Holy Grail of Bank CardSecurity http://www.wired.com/threatlevel/2009/04/pins/

G. Steel. Formal analysis of PIN block attacks. TheoreticalComputer Science 367(1-2), 2006.R. Focardi, F. L. Luccio and G. Steel. Blunting Differential Attackson PIN Processing APIs. In NordSec’09, LNCS 5838.M. Centenaro, R. Focardi, F. L. Luccio and G. Steel. Type-basedAnalysis of PIN Processing APIs. In ESORICS’09, LNCS 5789Mohammad Mannan, P.C. van Oorschot. Reducing threats fromflawed security APIs: The banking PIN case, Computers &Security 28 (6), 2009.


http://www.wired.com/threatlevel/2009/04/pins/

Documents

Hardware Security Modules: Attacks and Secure Conﬁguration2014.hackitoergosum.org/slides/day2_Hardware_Security_Modules:... · - Encrypted PIN Pads (EPPs) and Hardware Security